Server Side Encryption: S3 <-> KMS to encrypt data

SSE-S3: AWS S3 manages its own keys (rotated every month)

Request Header - x-amz-server-side-encryption(AES256)

SSE-KMS: Customer manages keys in KMS

Request Headers - x-amz-server-side-encryption(aws:kms) and x-amz-serverside-encryption-aws-kms-key-id(ARN for key in KMS)

SSE-C: Customer sends key with request (HTTPS mandatory)

S3 performs encryption and decryption without storing the key

Use HTTPS endpoints (secure data in transit)

All AWS services (including S3) provides HTTPS endpoints

Client Side Encryption: Client manages encryption

Client sends encrypted data to AWS service

AWS will not be aware of master key or data key

AWS service stores data as is

Use a client library (Amazon S3 Encryption Client)